APD/GBA (Belgium) - 136/2022

From GDPRhub
Revision as of 09:58, 4 October 2022 by Kv (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=Decision 136-2022 |E...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - Decision 136-2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 21.06.2022
Decided: 26.09.2022
Published: 02.10.2022
Fine: n/a
Parties: n/a
National Case Number/Name: Decision 136-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: n/a

The controller refused to provide access to freeze frame data of a vehicle to the data subject. The DPA held that the controller had to provide an answer to the request within 14 days.

English Summary

Facts

The data subject made an access request for a full diagnosis report with freeze frame data regarding his vehicle to the car company (controller). The data subject stated that it did so as part of implementation of an expertise. The controller answered this request within the term of one month (Article 12(3) GDPR), but stated that the requested data could not be transferred to the data subject. This was because of the ban on sharing internal documents with third parties outside the car brand network. This ban was internal company policy. It is possible for controllers to reject an access request but it must provide a reason why it didn’t comply with the request (Article 12(4) GDPR) to the extent that there is a legal ground for restricting the right of access


Holding

The DPA held that data concerning the vehicle of the complainant is personal data (Article 4(1) GDPR), since the complainant can be identified on the basis of his vehicle. The DPA held that solely on the basis of the internal company policy, the controller cannot deny the right of access of a data subject to its personal data. The data subject is a customer of the controller and has the right to a copy of the personal data being processed, if necessary in electronic form (Article 15(3) GDPR). The internal company policy wasn’t sufficient justification for the controller to deny the data subject the information he requested. The DPA held that this was basically the controller unilaterally infringing the data subjects right to access its own personal data. This was unacceptable for the DPA. The DPA held that the controller violated Articles 15(1) and 15(3) GDPR. The controller had to make a decision regarding the access request within 14 days.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                                   1/6







                                                                                  Dispute room



                                                   Decision 136/2022 of 26 September 2022





File number : DOS-2022-02599



Subject : Exercise of the right of access without the controller

results in it


The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

single chairperson;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (General

Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;


Having regard to the internal rules of procedure, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                  .
The complainant: Mr X, hereinafter referred to as “the complainant”; .

                                                                                                  .

The controller: Y, hereinafter “the controller” Decision 136/2022 - 2/6




I. Facts procedure


    1. On 21 June 2022, the complainant submitted a request for mediation to the

        Data Protection Authority, handled by the Frontline Service. Since the

        mediation procedure did not lead to a favorable outcome given the lack of response

        on behalf of the controller, pursuant to that determination, with the consent of the

        the complainant converted the request for mediation on 8 August 2022 into a complaint against the

        controller.

    2. The subject of the complaint concerns the exercise of the right of access by the complainant who

        data controller has requested to send him the complete diagnosis report with freeze

        want to transfer frame data concerning his vehicle in the context of the execution of a

        expertise. The controller has replied to this request within the legal

        term of one month (Article 12.3 GDPR), but stated that the requested data cannot be

        be transferred to the complainant in view of the prohibition to share internal documents with

        third parties outside the car brand network .

    3. On August 9, 2022, the complaint will be declared admissible by the Frontline Service on the basis of

        Articles 58 and 60 WOG and the complaint on the basis of art. 62, §1 WOG transferred to the

        Dispute room.





II. Justification


    4. First of all, the Disputes Chamber clarifies that the data concerning the vehicle of the

        complainant must be regarded as personal data, since the complainant on the basis of

        his vehicle data can be identified within the meaning of Article 4. 1) GDPR .


    5. Although the controller has responded to the complainant's request within

        the legal period of one month (Article 12.3 GDPR), it has refused to grant the complainant the
        to provide requested data due to the ban on sharing internal documents with

        third parties outside the car brand network . It is possible for the controller to

        not to comply with the request for access provided that it is stated why the request is made without







1Article 4 GDPR.

For the purposes of this Regulation:
1) 'personal data' means any information relating to an identified or identifiable natural person ('the data subject'); if
identifiable is a natural person who can be identified, directly or indirectly, in particular by reference to a
identifier such as a name, an identification number, location data, an online identifier or of one or more elements that
characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural
person; Decision 136/2022 - 3/6



                                                        2
          has remained effective (Article 12.4 GDPR) to the extent that there is a legal ground for limiting

          the right of access.


     6. The Disputes Chamber rules that solely on the basis of the internal company policy, the right cannot

          the complainant will be denied access to the complainant pursuant to Article 15.1 of the GDPR

          concerning data. The complainant is a customer of the controller and has

          right to a copy of the personal data being processed, if necessary in electronic form

          form (article 15.3 GDPR). That the internal company policy would prevent data concerning

          customer vehicles – which identify these customers so that these

          data are in fact personal data – to be provided does not constitute sufficient motivation

          to refuse the complainant the information requested by him. The internal ban on which the

          controller invokes to share data with third parties, cannot be

          invoked against the customers as such, as this will result in the controller

          unilaterally prejudices the complainant's right to access his own data. This

          would mean that the rights of the complainant are set aside in function of a


          internal prohibition, which cannot be accepted. Consequently, the Disputes Chamber deems demotivation

          on which the controller invokes the provision of the data to the

          to refuse the complainant is not admissible and the complainant is in this case entitled to the data of the complainant

          concerning vehicle.


     7. The Disputes Chamber determines on the basis of the documents that support the complaint that the complainant is entitled to

          exercised access to, but the controller wrongly refused

          to follow up on it. As a result, the controller has acted in violation of

          article 15.1. and 15.3 GDPR. 3




2See also Recital 59 GDPR. […] The controller should be obliged without undue delay and at the latest within one month

to respond to a request from the data subject, and to state the reasons for any intended refusal to comply with such
requests to comply.
3Article 15 GDPR

1. The data subject has the right to obtain confirmation from the controller as to whether or not he/she is being processed
concerning personal data and, where that is the case, to obtain access to that personal data and the following
information:

a) the processing purposes;
b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in
third countries or international organisations;
d) if possible, the period for which the personal data is expected to be stored, or if not
possible, the criteria for determining that term;

e) that the data subject has the right to request the controller to rectify or erase personal data,
or that the processing of personal data concerning him is restricted, as well as the right to object to such processing;

f) that the data subject has the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information about the source of that data;

(h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least
in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the
person concerned.

[…] Decision 136/2022 - 4/6




    8. The Disputes Chamber is of the opinion that on the basis of the above analysis,

        concluded that a breach of the provisions of the

        GDPR was committed, which justifies the taking of a

        decision on the basis of Article 95, §1, 5° WOG, more specifically to inform the controller

        Orders to comply with the complainant's exercise of his right of access (Article

        15.1 and 15.3 AVG) and this in particular in view of the documents that the complainant has provided from which

        it appears that the complainant has indeed exercised his right of access, but the

        controller has refused to comply with this.


    9. The present decision is a prima facie decision made by the Disputes Chamber

        in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of

        the ‘procedure prior to the decision on the merits’ and not a decision on the merits of the

        Disputes Chamber within the meaning of Article 100 WOG.


    10. The purpose of this decision is to notify the controller of the

        fact that it may have infringed the provisions of the GDPR and that it is in the

        possibility to still conform to the aforementioned provisions.


    11. However, if the controller does not agree with the contents of this

        prima facie decision and considers that it may allow factual and/or legal arguments

        funds that could lead to a different decision, can be sent to the email address

        litigationchamber@apd-gba.be address a request for treatment on the merits of the case to the

        Disputes Chamber and this within the period of 14 days after notification of this decision. The

        enforcement of this decision will, if necessary, be during the aforementioned period

        suspended.


    12. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will

        the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their

        to submit defenses and to attach to the file any documents they deem useful. The

        If necessary, this decision will be definitively suspended.


    13. For the sake of completeness, the Disputes Chamber points out that a hearing of the merits of the case can be

        lead to the imposition of the measures referred to in Article 100 WOG. 5




4
 Section 3, Subsection 2 WOG (Articles 94 to 97).
51° to dismiss a complaint;
 2° order the suspension of prosecution;
 3° order the suspension of the judgment;
 4° propose a settlement;
 5° to formulate warnings and reprimands;
 6° order compliance with the data subject's requests to exercise his or her rights;
 7° to order that the data subject is informed of the security problem;

 8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
 9° to order that the processing is brought into conformity;
 10° rectification, restriction or deletion of data and its notification to data recipients in Decision 136/2022 - 5/6




    14. Finally, the Disputes Chamber points out the following:


        If one of the parties wishes to make use of the possibility to consult and

        copying the file (art. 95, §2, 3° WOG), this should contact the secretariat

        of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment

        to capture.

        If a copy of the file is requested, the documents will be sent electronically if possible

        or else delivered by regular mail. 6




III. Publication of the decision


    15. Given the importance of transparency in the decision-making of the

        Litigation Chamber, this decision is published on the website of the

        Data Protection Authority. However, it is not necessary that the identification data

        of the parties be published directly.



































command;
 11° order the withdrawal of the recognition of certification bodies;

 12° to impose periodic penalty payments;
 13° impose administrative fines;
 14° order the suspension of cross-border data flows to another State or an international institution;
 15° to hand over the file to the public prosecutor's office in Brussels, who will inform it of the consequence that the
file is given;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
6Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the
Dispute room NOT provided. In addition, all communication is in principle electronic. Decision 136/2022 - 6/6






    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, subject to the

    submission of a request by the controller for processing on the merits

    in accordance with article 98 et seq. WOG, to:

   - on the basis of article 58.2, c) AVG and article 95, 1.5° WOG to the controller

       order compliance with the data subject's request to exercise their rights,

       in particular the right of access (Article 15.1 and 15.3 GDPR), and to proceed with the provision

       to the complainant of the information requested by him, within the period of 14 days

       count from the notification of this decision;

   - order the controller to the Data Protection Authority

       (Dispute Chamber) by e-mail within the same period of the result

       of this decision via the e-mail address litigationchamber@apd-gba.be; and

   - in the absence of the timely execution of the above by the

       controller, to handle the case on the merits ex officio in accordance with

       Articles 98 et seq. WOG.





Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification

appeal against this decision to the Marktenhof (Brussels Court of Appeal), with the

Data Protection Authority as Defendant.

Such an appeal may be lodged by means of an adversarial petition that the

1034terof the Judicial Code, the statements listed should contain .The application to

contradiction must be submitted to the registry of the Market Court in accordance with Article

1034quinquiesof the Ger.W. , or via the Justice Deposit Information System (Article 32ter of

the Ger.W.).






(get). Hielke Hijmans

Chairman of the Disputes Chamber




7The petition states on pain of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
    company number;
 3° the name, first name, place of residence and, where applicable, the capacity of the person to be summoned;
 4° the subject matter and the brief summary of the grounds of the claim;
 5° the court before whom the claim is brought;
 6° the signature of the applicant or of his lawyer.

8The application with its annex is sent, in as many copies as there are parties involved, by registered letter to the
clerk of the court or at the registry.